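def addSampleByHash(hashes, event):
    """Look up one MalwareBazaar sample by hash and add it to *event* as a MISP ``file`` object.

    Args:
        hashes: either a single hash string, or a list whose first element is
            the hash to look up and whose remaining elements are the hashes
            already being processed on the current recursion path (used only
            to stop a drops / dropped-by cycle from recursing forever).
        event: the MISPEvent that receives the object and every attribute
            created for comment IOCs, link contexts and the report url.

    Returns:
        The object returned by ``event.add_object``, or None when
        ``_getSampleJson`` yields nothing for the hash.

    Side effects:
        Registers the object in the module-level ``samples`` cache under the
        lookup hash, adds every newly created attribute to the module-level
        ``attributes`` cache (keyed by value), and may recurse into
        ``addSampleByHash`` for samples referenced in ``file_information``.
    """
    # Normalise the argument: a bare string is the lookup hash with a path of one.
    if isinstance(hashes, list):
        lookup_hash = hashes[0]
    elif isinstance(hashes, str):
        lookup_hash = hashes
        hashes = [lookup_hash]
    else:
        lookup_hash = ""

    sample_json = _getSampleJson(lookup_hash)
    if sample_json is None:
        return None

    sampl = _buildFileObject(sample_json)

    # Free-text comment: anything that parses as an IOC becomes a related attribute.
    comment = sample_json.get('comment')
    if comment:
        _linkCommentIocs(sampl, event, comment)

    # Cross references: dropped / dropped-by samples and external links.
    info = sample_json.get('file_information')
    if info is not None:
        _linkFileInformation(sampl, event, hashes, info)

    # Every sample is derived from its MalwareBazaar report page.
    report_url = "https://bazaar.abuse.ch/sample/{}/".format(lookup_hash)
    report_attr = _cachedAttribute(event, "url", report_url, to_ids=False, disable_correlation=True)
    sampl.add_reference(referenced_uuid=report_attr.uuid, relationship_type='derived-from')

    sampl = event.add_object(sampl)
    samples[lookup_hash] = sampl
    return sampl


def _buildFileObject(sample_json):
    """Build a MISP ``file`` object (not yet attached to an event) from one MalwareBazaar sample record."""
    sampl = GenericObjectGenerator('file')
    # The hashes are the indicators: correlate them and export them to IDS.
    sampl.add_attribute("md5", value=sample_json['md5_hash'], to_ids=True)
    sampl.add_attribute("filename", value=sample_json['file_name'], to_ids=False, disable_correlation=True)
    sampl.add_attribute("sha1", value=sample_json['sha1_hash'], to_ids=True)
    sampl.add_attribute("sha256", value=sample_json['sha256_hash'], to_ids=True)
    sampl.add_attribute("ssdeep", value=sample_json['ssdeep'], to_ids=True)
    # Descriptive context only: neither IDS-worthy nor worth correlating on.
    sampl.add_attribute("size-in-bytes", value=sample_json['file_size'], to_ids=False, disable_correlation=True)
    sampl.add_attribute("state", value="Malicious", to_ids=False, disable_correlation=True)
    # Backslashes are stripped from the MIME type; presumably the API returns it
    # with an escaped slash ("application\/x-dosexec") -- TODO confirm.
    sampl.add_attribute("mimetype", value=sample_json['file_type_mime'].replace('\\', ''), to_ids=False, disable_correlation=True)
    return sampl


def _cachedAttribute(event, attr_type, value, **kwargs):
    """Return the attribute cached for *value*, adding it to *event* and the ``attributes`` cache on first use.

    The cache is keyed by the requested value rather than by whatever value the
    created attribute reports, so the lookup key and the insertion key are
    always identical and a value cannot be added twice.
    """
    if value in attributes:
        return attributes[value]
    attr = event.add_attribute(attr_type, value, **kwargs)
    attributes[value] = attr
    return attr


def _linkCommentIocs(sampl, event, comment):
    """Extract IOCs from the sample's free-text comment and link each one to the file object.

    The comment is third-party text from the MalwareBazaar record; the attributes
    it yields are added without explicit to_ids / disable_correlation flags, so
    the library defaults for each attribute type apply.
    """
    for commattr in pm.freetext(event, comment):
        attr = _cachedAttribute(event, commattr['type'], commattr['value'])
        sampl.add_reference(referenced_uuid=attr.uuid, relationship_type='related-to')


def _linkFileInformation(sampl, event, hashes, info):
    """Add drops / dropped-by and url references from the record's ``file_information`` entries.

    Args:
        sampl: the file object being built.
        event: the MISPEvent receiving any new samples or url attributes.
        hashes: the recursion path (see ``addSampleByHash``); a referenced
            sample already on it is being built higher up the stack and is
            skipped to avoid infinite recursion.
        info: the list of ``{'context': ..., 'value': ...}`` dicts.
    """
    for context_set in info:
        context = context_set['context']
        value = context_set['value']
        print("context: {}, value: {}".format(context, value))
        if context in API_REF_CONTEXTS:
            # Another sample. Make sure it is represented in the event (recursing
            # unless it is already cached or on the current path), then reference
            # whatever the cache holds for it -- also when it was added earlier by
            # an unrelated call, which previously produced no reference at all.
            if value not in samples and value not in hashes:
                addSampleByHash([value] + hashes, event)
            referenced = samples.get(value)
            if referenced is not None:
                relationship = 'dropped-by' if context == "dropped_by_sha256" else 'drops'
                sampl.add_reference(referenced_uuid=referenced.uuid, relationship_type=relationship)
        elif context.casefold() in API_LINK_CONTEXTS:
            url_ref = value.replace('\\', '')
            attribute = _cachedAttribute(event, 'url', url_ref, to_ids=False, disable_correlation=True)
            sampl.add_reference(referenced_uuid=attribute.uuid, relationship_type='related-to')
        else:
            print("Lost context: {}".format(context))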
scandate = datetime.datetime.strptime(raw_report["scan_date"], '%Y-%m-%d %H:%M:%S') me = MISPEvent() this_event_name = misp_event_name.format(scandate.strftime("%Y-%m-%d")) search = pm.search(controller='events', eventinfo=this_event_name) if (len(search) == 1): me.load(search[0]) else: me.info = this_event_name pm.add_event(me) vtreport = GenericObjectGenerator('virustotal-report') vtreport.add_attribute("last-submission", value=raw_report["scan_date"]) vtreport.add_attribute("permalink", value=raw_report["permalink"]) ratio = "{}/{}".format(raw_report["positives"], raw_report["total"]) vtreport.add_attribute("detection-ratio", value=ratio) file_object = GenericObjectGenerator('file') file_object.add_attribute("md5", value=raw_report["md5"]) file_object.add_attribute("sha1", value=raw_report["sha1"]) file_object.add_attribute("sha256", value=raw_report["sha256"]) file_object.add_attribute("ssdeep", value=raw_report["ssdeep"]) file_object.add_attribute("authentihash", value=raw_report["authentihash"]) file_object.add_attribute("size-in-bytes", value=raw_report["size"]) if ("exiftool" in raw_report["additional_info"]): file_object.add_attribute(
def genFileObj(sample):
    """Build (but do not attach) a MISP ``file`` object from one MalwareBazaar sample record.

    Args:
        sample: dict as returned by the MalwareBazaar API; the keys
            ``md5_hash``, ``file_name``, ``sha1_hash``, ``sha256_hash``,
            ``ssdeep``, ``file_size`` and ``file_type_mime`` are read.

    Returns:
        A ``GenericObjectGenerator('file')`` whose hash attributes are flagged
        ``to_ids=True`` and whose descriptive attributes (filename, size,
        state, mimetype) are flagged ``to_ids=False, disable_correlation=True``.
    """
    file_obj = GenericObjectGenerator('file')
    # (object relation, value, is_indicator) in the order the attributes are added.
    spec = (
        ("md5", sample['md5_hash'], True),
        ("filename", sample['file_name'], False),
        ("sha1", sample['sha1_hash'], True),
        ("sha256", sample['sha256_hash'], True),
        ("ssdeep", sample['ssdeep'], True),
        ("size-in-bytes", sample['file_size'], False),
        ("state", "Malicious", False),
        # Backslashes are dropped from the MIME type as delivered by the API.
        ("mimetype", sample['file_type_mime'].replace('\\', ''), False),
    )
    for relation, value, is_indicator in spec:
        if is_indicator:
            file_obj.add_attribute(relation, value=value, to_ids=True)
        else:
            file_obj.add_attribute(relation, value=value, to_ids=False, disable_correlation=True)
    return file_obj
me = events[this_event_name] else: me.info = this_event_name #Geolocation geo = None cc = data['geo_country'] country = pycountry.countries.get(alpha_2=cc) if (country is not None): if (me.info + cc in places): geo = places[me.info + cc] else: geo = GenericObjectGenerator('geolocation') geo.add_attribute( "country", value=pycountry.countries.get(alpha_2=cc).name) me.add_object(geo) places.update({me.info + cc: geo}) #x509 xfive = None if ("issuer" in data): if (len(data["issuer"]) > 2): xfive = GenericObjectGenerator('x509') xfive.add_attribute("issuer", value=data["issuer"], to_ids=True) if (len(data["subject"]) > 0): xfive.add_attribute("subject", value=data["subject"],